FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mailman -- CSRF protection enhancements

Affected packages
mailman < 2.1.23

Details

VuXML ID b11ab01b-6e19-11e6-ab24-080027ef73ec
Discovery 2016-08-19
Entry 2016-08-29

Mark Sapiro reports:

CSRF protection has been extended to the user options page. This was actually fixed by Tokio Kikuchi as part of the fix for LP: #775294 and intended for Mailman 2.1.15, but that fix wasn't completely merged at the time. The full fix also addresses the admindb, and edithtml pages as well as the user options page and the previously fixed admin pages. Thanks to Nishant Agarwala for reporting the issue.

References

CVE Name CVE-2016-6893
URL http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1668
URL https://mail.python.org/pipermail/mailman-announce/2016-August/000226.html